Below, some information that can help you make your website GDPR compliant. GDPR is the new European regulation (not a directive: it applies directly in every member state) that gives all customers control over their personal data.
GDPR Requirements for your E-commerce website - General
EU GDPR will affect businesses both inside and outside of the EU. Any non-EU company dealing with EU customers will have to comply with the GDPR.
To achieve full compliance by 25 May 2018, when the GDPR becomes enforceable, e-commerce businesses (ClicShopping stores included) will need to:
Tell the user who you are, what data you collect, why you collect the data, for how long you retain it and which third parties receive it (if any)
Get a clear consent before collecting any data
Let users access their data
Let users download their data
Let users delete their data
Let users know if a data breach has occurred
If you don't strictly adhere to these rules, you can eventually be fined up to €20 million or 4% of your worldwide annual turnover, whichever is greater.
Now, this is good to know, but actually, the most important question is: what changes am I required to make on my ClicShopping website?
Well, with my goal being to translate GDPR into plain English, the 6 rules outlined above will have implications on:
ClicShopping Terms & Conditions (Checkout page)
ClicShopping User registration (My Account page)
ClicShopping Cart Abandonment (Checkout page)
ClicShopping product reviews (Single Product page)
ClicShopping comments (Blog pages)
ClicShopping opt-in forms (Newsletter, notification, etc.)
ClicShopping contact forms (Contact Us page, widgets, etc.)
ClicShopping analytics (Google Analytics, etc.)
ClicShopping Plugins & APIs (Payments, Email marketing, etc.)
That’s quite a lot of work…
Once again, please double check this with a lawyer or a GDPR consultant as I’m neither of the two.
GDPR Compliance Step 1: ClicShopping Terms & Conditions
If you have no T&C page at all, you can use one of the online generators (google "terms and conditions generator" or "terms and conditions template"), use a premium service like iUbenda, or alternatively take a look at the T&C pages of popular e-commerce websites to get some inspiration.
Once this is done, the ClicShopping checkout can show a checkbox on the checkout page with default text and a link to the T&C page you selected in the previous step:
Create a T&C page if you have none (you can use a T&C generator or take a look at popular e-commerce T&C pages – remember to refine the document for your specific legal agreements and have it revised by a lawyer)
Use the ClicShopping Checkout Settings to add a checkbox to the Checkout page
Whichever document you use (T&C or a separate privacy policy), it will need to cover the following:
who you are (company, address, etc)
what data you collect (IP addresses, name, email, phone, address, etc)
for what reason you collect the data (invoicing, tracking, email communication, etc)
for how long you retain it (e.g. you keep invoices for 6 years for accounting purposes)
which third parties receive it (MailChimp, Google, CRM, etc)
how to download data (either automatically or by emailing the Data Protection Officer)
how to delete data (either automatically or by emailing the Data Protection Officer)
how to get in touch with you for data-related issues (the contact details of the assigned Data Protection Officer, probably you)
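The "download" and "delete" rights above are the two that actually need code behind them. The following is an added example, not ClicShopping's own code: it shows how a data-subject request can be handled against a deliberately simplified, assumed schema (customers, addresses, newsletter_consent, invoices; these are not ClicShopping's real table names). The point it makes is the retention caveat from the list: erasure does not mean "DELETE everything", because invoices still inside the legal retention period (the page's example is 6 years) must be kept, while everything else about the person is removed or pseudonymised. Python with sqlite3 is used so it runs anywhere; the same logic ports directly to the shop's PHP.

```python
"""Right of access (export) and right of erasure for one customer.

Added example with an assumed, simplified schema; not ClicShopping code.
All sample rows below are constructed for the example.
"""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

INVOICE_RETENTION_DAYS = 6 * 365  # assumption: 6-year accounting retention
TABLES = ("customers", "addresses", "newsletter_consent", "invoices")  # fixed list, never user input


def open_sample_db():
    """Build an in-memory database with constructed sample data (offline, repeatable)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE,
                                phone TEXT, signup_ip TEXT);
        CREATE TABLE addresses (id INTEGER PRIMARY KEY, customer_id INTEGER, street TEXT, city TEXT);
        CREATE TABLE newsletter_consent (customer_id INTEGER, granted_at TEXT, notice_version TEXT);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer_id INTEGER, issued_at TEXT,
                               billing_name TEXT, total_cents INTEGER);
    """)
    now = datetime.now(timezone.utc)
    expired = (now - timedelta(days=INVOICE_RETENTION_DAYS + 30)).isoformat()  # past retention
    recent = (now - timedelta(days=30)).isoformat()                             # must be kept
    db.execute("INSERT INTO customers VALUES (1, 'Ada Example', 'ada@example.test', '+32 0000', '192.0.2.10')")
    db.execute("INSERT INTO addresses VALUES (1, 1, '1 Example Street', 'Brussels')")
    db.execute("INSERT INTO newsletter_consent VALUES (1, '2018-05-20T10:00:00+00:00', 'v3')")
    db.execute("INSERT INTO invoices VALUES (100, 1, ?, 'Ada Example', 4999)", (expired,))
    db.execute("INSERT INTO invoices VALUES (101, 1, ?, 'Ada Example', 1299)", (recent,))
    db.commit()
    return db


def export_customer(db, customer_id):
    """Right of access / data portability: every row we hold on one person, JSON-ready."""
    out = {}
    for table in TABLES:
        key = "id" if table == "customers" else "customer_id"
        # Table and column names come from the fixed tuple above, the id is a bound parameter.
        rows = db.execute(f"SELECT * FROM {table} WHERE {key} = ?", (customer_id,)).fetchall()
        out[table] = [dict(row) for row in rows]
    return out


def erase_customer(db, customer_id, now=None):
    """Right of erasure with a legal-hold exception for invoices still inside retention.

    Returns a summary that can be sent back to the requester, including what was
    retained and why, which is what a Data Protection Officer will be asked about.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=INVOICE_RETENTION_DAYS)).isoformat()
    cur = db.cursor()
    addresses = cur.execute("DELETE FROM addresses WHERE customer_id = ?", (customer_id,)).rowcount
    consents = cur.execute("DELETE FROM newsletter_consent WHERE customer_id = ?", (customer_id,)).rowcount
    # Invoices older than the retention period have no legal basis left: delete them.
    expired = cur.execute("DELETE FROM invoices WHERE customer_id = ? AND issued_at < ?",
                          (customer_id, cutoff)).rowcount
    retained = cur.execute("SELECT COUNT(*) FROM invoices WHERE customer_id = ?",
                           (customer_id,)).fetchone()[0]
    # Keep the row (invoices reference it) but strip every identifying field; the email
    # placeholder stays unique so the UNIQUE constraint is not violated.
    cur.execute("UPDATE customers SET name = '[erased]', email = ?, phone = NULL, signup_ip = NULL "
                "WHERE id = ?", (f"erased-{customer_id}@invalid", customer_id))
    db.commit()
    return {
        "deleted_addresses": addresses,
        "deleted_consents": consents,
        "deleted_invoices": expired,
        "retained_invoices": retained,
        "retention_note": f"invoices issued after {cutoff[:10]} are kept for accounting purposes",
    }


if __name__ == "__main__":
    db = open_sample_db()
    print(json.dumps(export_customer(db, 1), indent=2))
    print(erase_customer(db, 1))
    print(json.dumps(export_customer(db, 1), indent=2))  # what is left after erasure
```

The retained invoice still carries the billing name: that is deliberate, since an invoice without its recipient is useless for the accounting obligation that justifies keeping it. Your privacy policy should say exactly that, which is the "for how long you retain it" line above.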
GDPR Compliance Step 3: ClicShopping User Registration
Remember to only collect the information you strictly require to run your business: every extra registration field is extra personal data you have to justify, protect, export and delete.
GDPR Compliance Step 4: ClicShopping Product Reviews
Ah, product reviews! In ecommerce, they really matter, don't they?
Of course, reviews contain personal data (name, email address, sometimes more). You got it, you need user consent.
Simply submitting a review does not count as consent by itself. That would be implied consent, which is against the GDPR: it requires explicit consent (i.e. ticking a box).
Simple as that!
GDPR Compliance Step 6: ClicShopping Comments
If your ClicShopping pages and posts have comments, here comes another GDPR compliance problem.
Users are usually prompted to enter their name, email address and website URL together with their message, without the need to register an account (this happens on Business Bloomer for example). In your case you might force user registration instead, in which case the notice and consent you already collect at registration can cover ClicShopping comments too.
GDPR Compliance Step 7: ClicShopping Opt-in Forms
An opt-in form is a contact form where users enter their name and email address (usually) to join your email marketing list (or database of contacts).
First of all, you must remove all automatic opt-ins on your site. All checkboxes must be unchecked by default (a pre-checked checkbox cannot imply acceptance, and neither can silence or inactivity).
Besides, are you passing those email addresses to subsidiaries or other partners? Hopefully not, and if you are, it has to be stated where the consent is collected.
Either way, users must:
know why their personal data is needed (“Enter your email address to receive our weekly newsletter“)
give you only relevant information (to join your newsletter you don't need to ask for the date of birth… unless you want to send them a gift on their birthday! In this case, you've got to make it clear WHY you want that piece of personal data)
know how to delete/download the data at any time
know how to opt-out
Usually, an opt-in form is tied to a specific piece of software, e.g. Mailchimp.
Whoever you send that email address to, make sure they are reliable (Mailchimp, ConvertKit, Aweber, etc.) and that they are actively working on HELPING you be GDPR-ready.
Audit all your opt-in forms
See if your opt-in form / newsletter / email marketing provider has a GDPR solution
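What "explicit consent" and "only relevant information" look like on the server side, as an added example that is not ClicShopping's own code. It assumes a form with one checkbox per purpose (field names consent_newsletter and consent_birthday_gift, an assumed convention) and an assumed mapping from each purpose to the fields it justifies collecting. It does two things the audit checklist above asks for: it refuses a submission where no purpose was affirmatively ticked, drops any field that no ticked purpose justifies, and records which version of the notice the person agreed to; and it includes a small template audit helper that finds checkboxes rendered already ticked, the failure mode the first paragraph of this step is about. Python is used so it runs anywhere; the checks port directly to PHP.

```python
"""Opt-in form handling: explicit consent per purpose, data minimisation, consent record.

Added example with assumed field names and purposes; not ClicShopping code.
"""
import re
from datetime import datetime, timezone

# Assumption: which fields each purpose justifies collecting. A purpose the user
# did not tick justifies nothing, so its fields are dropped even if submitted.
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "birthday_gift": {"email", "date_of_birth"},
}
NOTICE_VERSION = "privacy-notice-2018-05"  # assumed identifier of the text shown beside the checkboxes
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)


class ConsentError(ValueError):
    """Raised when a submission cannot be stored lawfully."""


def accept_optin(form, now=None):
    """Validate a submitted opt-in form and return a consent record, or raise ConsentError.

    `form` is the parsed POST body (a dict of strings). A browser only submits a
    checkbox that was ticked, so a missing consent_<purpose> key means no consent.
    """
    now = now or datetime.now(timezone.utc)
    purposes = [p for p in PURPOSE_FIELDS if form.get(f"consent_{p}") == "yes"]
    if not purposes:
        raise ConsentError("no purpose was ticked: nothing may be stored")
    allowed = set().union(*(PURPOSE_FIELDS[p] for p in purposes))
    data = {k: v.strip() for k, v in form.items() if k in allowed}
    # Anything the ticked purposes do not justify is discarded, not stored "just in case".
    dropped = sorted(k for k in form if k not in allowed and not k.startswith("consent_"))
    if "@" not in data.get("email", ""):
        raise ConsentError("a valid email address is required")
    return {
        "data": data,
        "purposes": purposes,
        "notice_version": NOTICE_VERSION,  # proves which wording the person agreed to
        "granted_at": now.isoformat(),
        "dropped_fields": dropped,
    }


def checkbox_html(purpose, label):
    """Render a consent checkbox: never carries the `checked` attribute."""
    return (f'<label><input type="checkbox" name="consent_{purpose}" value="yes"> '
            f'{label}</label>')


def prechecked_boxes(html):
    """Audit helper: return every checkbox in a template that is rendered already ticked."""
    found = []
    for tag in INPUT_TAG.findall(html):
        attrs = tag.lower()
        if 'type="checkbox"' in attrs and re.search(r"\bchecked\b", attrs):
            found.append(tag)
    return found


if __name__ == "__main__":
    # Constructed submission: newsletter ticked, birthday gift not, but a date of birth sent anyway.
    submission = {"email": "ada@example.test", "date_of_birth": "1990-01-01",
                  "consent_newsletter": "yes"}
    print(accept_optin(submission))
    print(prechecked_boxes('<input type="checkbox" name="consent_newsletter" checked>'))
```

Run prechecked_boxes over every template that renders a form (contact, checkout, review, newsletter widget); any hit is an automatic opt-in that has to go.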
GDPR Compliance Step 8: ClicShopping Contact Forms
If the contact form is going to store personal data in a database and/or is tied to email marketing software, you need to tell your users why and where you're storing the data, and how long you keep it.
GDPR Compliance Step 9: ClicShopping Analytics
Whether you use Google Analytics, Metorik, or both, you're capturing user data and setting cookies, and both need a lawful basis and a notice. The same applies to Google AdWords, Facebook pixels and similar.
The best thing to do in this case is to check each provider's GDPR policy, because THEY are processing the data on your behalf: you decide what is collected and pass it to THEM. "Under the GDPR, if you use Google Analytics, then Google is your Data Processor. Your organization is the Data Controller since you control which data is sent to Google Analytics."
According to the Google Analytics Team (they sent an email to all account holders on April 11th 2018):
GDPR requires your attention and action even if your users are not based in the European Economic Area (EEA)
They introduced granular data retention controls that allow you to manage how long your user and event data is held on Google's servers. Google Analytics will automatically delete user and event data that is older than the retention period you select
Before May 25, Google Analytics will also introduce a new user deletion tool that allows you to delete all data associated with an individual user (e.g. site visitor) from your Google Analytics properties
Google Analytics remains committed to providing features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization
They are also updating their policies as Data Processors
Indeed, these data retention settings now appear in my GA account.
Only use reliable, GDPR-compliant tracking software
Ask software providers how they’re handling GDPR compliance
GDPR Compliance Step 10: ClicShopping Plugins
This is a very important section, but I won't keep you here for too long.
It's very easy.
Does plugin _____ get, read, store, use, edit, handle or otherwise access user personal data?
Simply ask yourself this question for each plugin (and for your theme).
If the answer is yes:
make sure it’s a reliable plugin
make sure they are GDPR ready
If the answer is no:
are you 100% sure?
really, really sure?
good then, you don’t need to do anything
Who knew GDPR was actually a good thing!
Ask yourself the “magic” GDPR question about each plugin and theme
Select GDPR-compliant plugins
Discard non-GDPR-compliant plugins
GDPR Compliance Step 11: ClicShopping APIs
We already mentioned this before, but "API" covers a lot of different applications. But first, what the heck is an API (in plain English pleaseeee)?
An API (Application Programming Interface) is basically "a piece of code" that allows your website to talk to an external piece of software without the user ever leaving your website.
An API is used for transmitting data between two parties. A good analogy is to think about a bus traveling from one city to another, back and forth, moving people (data) between the two points. Another good one (allow me to be a little Italian about it!) is to think about an API as a waiter that takes your pizza order and lets the kitchen know what toppings you want. Either way, an API is a "data connector": private data might be passed from your website to another piece of software and vice versa, hence GDPR applies. For example:
users can join your Mailchimp list without ever leaving your website, thanks to Mailchimp API
users can checkout with Stripe without ever leaving your site, thanks to Stripe API
and so on…
Facebook, Twitter, and any kind of third-party software give you APIs. These APIs connect your ClicShopping store to the outside world, passing data to it, possibly private, personal user data.
For each of them, make sure you know:
what APIs you use
what data is sent
whether the API provider is GDPR compliant (and has a data processing agreement in place with you)
Audit all your APIs
Discard non-GDPR-compliant APIs
GDPR Compliance Step 12: Breach Notifications
Under the GDPR, if your website experiences a data breach you must notify your supervisory authority within 72 hours of becoming aware of it, and, when the breach is likely to put the affected users at high risk, you must also tell those users without undue delay.
What's a data breach by the way?
Well, in GDPR terms it is any security incident that leads to the accidental or unlawful destruction, loss, alteration or disclosure of personal data, or to unauthorised access to it. For example, when personal information is passed to:
an unauthorized data processor or subcontractor
a non-GDPR compliant body
a third party without the knowledge of the data subject
On top of this, you will need to have a data breach response plan and process in place: who decides it is a breach, who notifies the authority, who contacts the users, and where the 72-hour clock is recorded.
Secure your ClicShopping website please!
Subscribe to the security and status notifications of all your third-party software / API providers, so that you become aware as soon as a data breach that affects your users occurs on their side
Reduce the amount of data you store: what you don't hold cannot leak. Brilliant workaround, isn't it?
Have a data breach emergency plan